A “botnet” generally refers to a collection of compromised hosts (often referred to as “zombie” computers/devices) running a malicious application (referred to as a “bot”) that allows the compromised hosts to be remotely controlled. The bots are controlled by a “bot master” (or “bot herder”) through a “command and control” (C&C) channel. For example, bots can be implemented as individual programs (referred to as “software agents”), and the C&C channel connects the botnet to a server (referred to as a “C&C server”) that forwards instructions to the bots.
For example, the bot master may send out malware, such as a virus or worm, that infects computing devices with a bot. The bot may be executed on the infected computing devices and may communicate with the C&C server to receive instructions. Some bots may also automatically scan their computing/device environment and propagate themselves to other computers/devices using vulnerabilities (e.g., weak passwords). A bot may execute in a stealth mode to avoid detection and may communicate with the C&C server using a covert channel, such as an Internet Relay Chat (IRC) channel defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 1459.
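The structure described above (many compromised hosts joined to one C&C server over IRC) can be looked for in captured plaintext traffic. The following is an added example, not part of the original text: it parses RFC 1459 messages and lists server/channel pairs that several internal hosts have joined. The record layout, the addresses and the `min_hosts` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# RFC 1459 section 2.3.1 message shape: [":" prefix SPACE] command params
MSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+) +)?(?P<command>[A-Za-z]+|\d{3})(?P<params>(?: .*)?)$")

def parse_irc(line):
    """Split one RFC 1459 message into (prefix, command, args); None if malformed."""
    m = MSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rest = m.group("params").lstrip(" ")
    if rest.startswith(":"):              # only a trailing parameter is present
        args = [rest[1:]]
    else:
        head, sep, trailing = rest.partition(" :")
        args = head.split()
        if sep:                           # trailing parameter may contain spaces
            args.append(trailing)
    return m.group("prefix"), m.group("command").upper(), args

def shared_channels(records, min_hosts=3):
    """Map (server, channel) -> sorted internal hosts, kept when at least
    min_hosts distinct hosts joined it. min_hosts is an assumed threshold."""
    members = defaultdict(set)
    for src, server, line in records:
        msg = parse_irc(line)
        if msg is None or msg[1] != "JOIN" or not msg[2]:
            continue
        for chan in msg[2][0].split(","):  # JOIN accepts a comma-separated list
            members[(server, chan.lower())].add(src)
    return {k: sorted(v) for k, v in members.items() if len(v) >= min_hosts}

# Constructed sample: (internal source, remote server, client-to-server line)
SAMPLE = [
    ("10.0.0.11", "203.0.113.5", "NICK a1\r\n"),
    ("10.0.0.11", "203.0.113.5", "JOIN #x9\r\n"),
    ("10.0.0.12", "203.0.113.5", "JOIN #X9 key\r\n"),
    ("10.0.0.13", "203.0.113.5", "JOIN :#x9\r\n"),
    ("10.0.0.20", "198.51.100.7", "JOIN #linux-help\r\n"),
    ("10.0.0.20", "198.51.100.7", "PRIVMSG #linux-help :hello\r\n"),
]

if __name__ == "__main__":
    for (server, chan), hosts in shared_channels(SAMPLE).items():
        print(f"{server} {chan}: {len(hosts)} internal hosts {hosts}")
```

A shared channel is only a lead for triage, since legitimate IRC users on one network can also share a channel.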